Friday, October 5, 2018

Eventbrite sued over Ticketfly hack | UNLIMITED | CMU


Eventbrite is facing a class action in the US over the hacking of the Ticketfly website back in June. A lawsuit filed with the courts in Illinois earlier this week says that “despite the fact Eventbrite was storing sensitive information that it knew was of value to, and vulnerable to, cyber attackers, Eventbrite failed to take basic security precautions that could have prevented the disclosure of its customers’ personally identifiable information”.

The Ticketfly website went offline in early June following the hacking of the company’s servers at the end of May. At the time the US-based Eventbrite subsidiary stated that “following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident. Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We are working to bring our systems back online as soon as possible. Please check back later”.

A week later, with its services resumed, a spokesperson told reporters: “Last week Ticketfly was the target of a malicious cyber attack. In consultation with third-party forensic cybersecurity experts we can now confirm that credit and debit card information was not accessed. However, information including names, addresses, email addresses and phone numbers connected to approximately 27 million Ticketfly accounts was accessed”.

During the downtime, Vice’s tech site Motherboard said that it had been in correspondence with a person who claimed to be behind the hack. That hacker, who goes by the name of IsHaKdZ, claimed that he warned the ticketing company of a vulnerability that gave him access to the firm’s entire database and website. He apparently offered to explain what that vulnerability was in return for one bitcoin, but received no reply to that offer.

Those claims are specifically cited in the lawsuit, which states that: “On information and belief, Eventbrite was notified by the hackers prior to the data hack that its IT systems contained a vulnerability. Nonetheless, Eventbrite failed to take reasonable measures following such communication to either discover and mitigate the vulnerability or follow-up with the source of the communication”.

The lawsuit also claims that Ticketfly didn’t directly inform the plaintiff about the data breach or that her personal details had been exposed during the hack. The legal papers say that the plaintiff – Ticketfly customer Shanice Kloss – only found out about the hack more recently and had to use a third-party tool to confirm her personal information was among that grabbed by the hacker back in May.

It goes on: “[The] defendant not only failed to protect plaintiff’s and other customers’ personally identifiable information but also failed to inform them of the data breach in a reasonable manner and without undue delay”.

The lawsuit is seeking class action status, so that anyone else affected by the breach could join the litigation, which, given Ticketfly’s statement that information attached to about 27 million accounts was accessed during the hack, could be significant. The legal papers specifically accuse Eventbrite of breach of contract and negligence, and of violating consumer fraud and deceptive business practice laws in Illinois.

Eventbrite, which acquired Ticketfly from Pandora last year, is yet to comment on the lawsuit.

